1. Field of the Invention
The present invention relates to an apparatus and a method for giving a warning message to a user, or denying access to an object, by monitoring whether higher-privileged processes depend on information provided by lower-privileged objects. Herein, a program means an executing program or a portion thereof, and an object means a medium used to store, read, alter or exchange information. Examples of the object include files, registry keys, and so forth.
2. Description of the Related Art
Since Windows Vista was released to the public in 2007, much attention has been paid to the main security mechanisms of Windows Vista. Mandatory integrity control (MIC), which is one of the main security mechanisms of Windows Vista, classifies an object such as a file, a folder or a registry key into one of a number of integrity levels, e.g., Untrusted (lowest integrity level), Low, Medium, High, System and Installer (highest integrity level), and also assigns integrity levels to processes. Thus, a lower integrity level process has only a limited write privilege on a higher integrity level object. Of course, such a security mechanism has been used in the past, although there is a difference in viewpoint between current and past security mechanisms.
In a Unix environment, users are also classified into several levels: a user having an administrator privilege can access the files of all other users, but general users are not allowed to access the files of the user having the administrator privilege. In this way, objects are classified into several privilege levels and a process is allowed to access only lower- or equal-privileged objects, thereby protecting the objects safely, which is a classical security concept.
However, since Windows Vista advanced beyond such a classical security concept and interacts with the Internet, Windows Vista introduced the MIC so as to restrict access to objects by a web browser executing with a user's privilege, which may pose a serious security threat. That is, even if control of a web browser is taken over by an attacker due to some weakness, it is impossible to perform an illegal write operation upon user and system files, folders and registry keys of Medium or higher integrity level, because the web browser is assigned the Low integrity level.
However, such a security concept has been developed to protect objects, so that it usefully protects the objects but cannot protect processes. There is no problem if all objects that a process accesses to acquire information have an equal privilege level. However, the process may access a lower-privileged object, which is problematic. If an update process of a relatively high privilege (hereinafter referred to as a ‘higher-privileged update process’) acquires update information from a file of a relatively low privilege (hereinafter referred to as a ‘lower-privileged object’), a lower-privileged malicious process can alter the file so that the higher-privileged update process takes the malicious file for the update file and installs the malicious file. As a result, an illegal privilege escalation occurs, because the lower-privileged malicious process can execute a desired activity with a high privilege. Therefore, the higher-privileged update process should always verify information received from a lower-privileged object, and should not access the lower-privileged object at all if possible. However, such a problem may always exist due to inexperienced operation or an error in software design, and may be a cause of a privilege escalation weakness.
For example, the MIC of Windows Vista classifies all main objects such as files, registry keys, processes and folders into several privilege levels, i.e., Untrusted, Low, Medium, High, System and Installer, and allows a process to perform write/read operations on an object whose privilege level is equal to or lower than that of the process. That is, a ‘High’ level process has write/read privileges upon ‘Untrusted’, ‘Low’, ‘Medium’ and ‘High’ level objects. However, a ‘Low’ level process has write/read privileges upon ‘Untrusted’ and ‘Low’ level objects but has only a read privilege upon ‘Medium’ level or higher-privileged objects.
Although the MIC of Windows Vista is advantageous in that it is possible to safely protect higher-privileged objects by restricting the write privilege upon the higher-privileged objects, there may be a problem due to the read privilege as described above.
Likewise, users also have different privilege levels in Windows, Windows NT, Linux, Unix, OS/2 and Mac systems. That is, an administrator in all Windows systems including Windows Vista has the highest privilege level, corresponding to root in a Unix system, and general user accounts having limited privileges commonly exist in both Windows and Unix systems. In addition, various privilege levels exist in each system, and a process executed by a higher-privileged user is allowed to access, i.e., write/read, an equal- or lower-privileged object while operating with the corresponding user privilege. Such a layered user privilege is also used to protect a higher-privileged object against a process executed by a lower-privileged user.
However, it is necessary to remove a risk occurring when a higher-privileged process performs a read operation on a lower-privileged object.
In the present invention, the case where a higher-privileged process accesses a lower-privileged object is defined as a privilege level violation, and a process accessing such a lower-privileged object is referred to as a privilege level violation process (hereinafter also referred to as a violation process for simplicity).
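The following Python model is an added illustration and is not part of the patent text or of any Windows component. It encodes the MIC rule stated above (a process may write only to objects of equal or lower integrity level; reads are always permitted) and then layers on the privilege level violation check this application defines: a higher-privileged process reading from a lower-privileged object. The six level names follow the text; the pipe-separated event record format, the process names and the file paths are constructed for the example, and the "warn" versus "deny" policy switch stands in for the apparatus's two responses (warning message or denied access).

```python
# Added example: MIC write-up restriction plus the read-down
# ("privilege level violation") monitor. Not Windows code; a decision model.
from dataclasses import dataclass
from typing import List, Tuple

# Integrity levels in ascending order, as listed in the text.
LEVELS = ["Untrusted", "Low", "Medium", "High", "System", "Installer"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class AccessEvent:
    process: str
    process_level: str
    operation: str      # "read" or "write"
    obj: str            # file, folder or registry key path
    object_level: str


def mic_decision(process_level: str, operation: str, object_level: str) -> str:
    """Classical MIC rule: a process may write only to objects at an equal or
    lower level; reads are always allowed. Returns "ALLOW" or "DENY"."""
    p, o = RANK[process_level], RANK[object_level]
    if operation == "write":
        return "ALLOW" if p >= o else "DENY"
    if operation == "read":
        return "ALLOW"
    raise ValueError(f"unknown operation {operation!r}")


def is_privilege_level_violation(process_level: str, operation: str,
                                 object_level: str) -> bool:
    """The case the text defines: a higher-privileged process reading, and so
    depending on, a lower-privileged object."""
    return operation == "read" and RANK[process_level] > RANK[object_level]


def parse_event(line: str) -> AccessEvent:
    """Parse one record in the constructed format:
    process|process_level|operation|object|object_level"""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    proc, plevel, op, obj, olevel = fields
    for lvl in (plevel, olevel):
        if lvl not in RANK:
            raise ValueError(f"unknown integrity level {lvl!r}")
    return AccessEvent(proc, plevel, op, obj, olevel)


def monitor(events: List[AccessEvent],
            policy: str = "warn") -> List[Tuple[AccessEvent, str]]:
    """Apply the MIC rule first, then the read-down check. With policy="warn"
    a violating read is allowed but marked WARN (the user is told); with
    policy="deny" it is blocked."""
    if policy not in ("warn", "deny"):
        raise ValueError(f"unknown policy {policy!r}")
    results = []
    for ev in events:
        decision = mic_decision(ev.process_level, ev.operation, ev.object_level)
        if decision == "ALLOW" and is_privilege_level_violation(
                ev.process_level, ev.operation, ev.object_level):
            decision = "WARN" if policy == "warn" else "DENY"
        results.append((ev, decision))
    return results


def violation_processes(events: List[AccessEvent]) -> List[str]:
    """Names of the processes the text would call violation processes."""
    seen = []
    for ev in events:
        if is_privilege_level_violation(ev.process_level, ev.operation,
                                        ev.object_level) and ev.process not in seen:
            seen.append(ev.process)
    return seen


# Constructed sample access records (not real telemetry). The first line is
# the update-process scenario from the text: a High process reads a Low file.
SAMPLE_LOG = r"""
updater.exe|High|read|C:\Temp\update.ini|Low
browser.exe|Low|write|C:\Users\alice\report.doc|Medium
browser.exe|Low|read|C:\Windows\system.ini|Medium
updater.exe|High|write|C:\Program Files\app\app.exe|High
svc.exe|System|read|C:\Windows\config.xml|System
""".strip().splitlines()


def run_sample(policy: str = "warn") -> List[str]:
    """Decisions for SAMPLE_LOG, in order."""
    return [d for _, d in monitor([parse_event(l) for l in SAMPLE_LOG], policy)]


if __name__ == "__main__":
    for ev, decision in monitor([parse_event(l) for l in SAMPLE_LOG]):
        print(f"{decision:5} {ev.process}({ev.process_level}) "
              f"{ev.operation} {ev.obj}({ev.object_level})")
```

Only the first record is flagged: the Low browser's write to a Medium file is already denied by the ordinary MIC rule, the browser's read of a Medium file is a read-up and not a violation, and the two equal-level accesses pass. The model deliberately keeps the MIC rule and the violation rule as separate functions so that the second can be switched between warning and denial without altering the first.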